The
rebinding exploits lets attackers resolve web domains to the user's computer,
essentially giving them illegal access to the user’s personal data.This illegal
approach could help them to execute remote code, download malware to Windows'
start up folder, grab downloaded files and access the download history of the
user.

The flaws
address on all unpatched versions, including uTorrent Web. Bit Torrent
engineering VP Dave Rees says that the flaws in the conventional client have
been fixed in beta versions released last week. Adding further that those that
are on the stable releases are set to release in the coming week.

Ormandy
was initially more concerned that Bit Torrent hadn't appropriately settled
uTorrent Web's issues and also partly stressed by the recurring in lack of
communication after reporting the fix in December, but Rees later added that
the patch is now in place that should address that exploit, the full statement
of his is below:

"On December
4, 2017, we were made aware of several vulnerabilities in the uTorrent and Bit
Torrent Windows desktop clients. We began work immediately to address the
issue. Our fix is complete and is available in the most recent beta release
(build 3.5.3.44352 released on 16 Feb 2018). This week, we will begin to
deliver it to our installed base of users. All users will be updated with the
fix automatically over the following days. The nature of the exploit is such
that an attacker could craft a URL that would cause actions to trigger in the
client without the user's consent (e.g. adding a torrent).”

"Bit Torrent
was also made aware yesterday that its new beta product, uTorrent Web, is
vulnerable to a similar bug. This is a different product and wasn't covered by
the original vulnerabilities. The team behind uTorrent Web released a patch for
that issue yesterday and we highly encourage all uTorrent Web customers to
update to the latest available build 0.12.0.502 available on our website
https://web.utorrent.com and also via the in-application update notification.”

"As always, we
encourage all customers to always stay up to date."

It's not
certain till now whether anyone has made use of the exploits in the wild or
not. Having said that, it’s smarter to stay wary as it would only take a visit
to the wrong website to trigger an attack, and the consequences following it
could be particularly severe.